Privacy Policy

This Privacy Policy informs you about the nature, scope, and purpose of processing personal data (hereinafter referred to as “Data”) within our online offering and related websites, functions, and content, as well as external online presences such as our social media profiles (collectively referred to as the “Online Offering”). Regarding the terminology used, such as “processing” or “controller,” we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Controller:

  • Name/Company: Stefan Mueller Sole Proprietorship
  • Address: Niederwindhagener Str. 56, 53578 Windhagen, Germany
  • Owner: Stefan Mueller
  • Phone number: +4915253963817
  • Email: mueller@leenway.com

Data Protection Officer:

  • Name/Company: Stefan Mueller Sole Proprietorship
  • Address: Niederwindhagener Str. 56, 53578 Windhagen, Germany
  • Owner: Stefan Mueller
  • Phone number: +4915253963817
  • Email: mueller@leenway.com

Types of Processed Data:

  • Personal data (e.g., names, addresses)
  • Contact data (e.g., email, phone numbers)
  • Content data (e.g., text input, photographs, videos)
  • Contract data (e.g., subject matter, duration, customer category)
  • Payment data (e.g., bank details, payment history)
  • Usage data (e.g., visited websites, content interests, access times)
  • Meta/communication data (e.g., device information, IP addresses)

Processing of Special Categories of Data (Art. 9 (1) GDPR):
No special categories of data are processed.

Categories of Individuals Affected by Data Processing:

  • Customers, prospects, visitors, and users of the online offering, business partners
  • Visitors and users of the online offering

We collectively refer to the affected individuals as “Users.”

Purpose of Processing:

  • Provision of the online offering, its content, and shop functions
  • Fulfillment of contractual services, customer service, and care
  • Responding to contact inquiries and communication with users
  • Marketing, advertising, and market research
  • Security measures

Last updated: November 2020

1. Terminology
1.1 “Personal data” refers to all information related to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered identifiable if they can be identified directly or indirectly, particularly by reference to an identifier such as a name, ID number, location data, online identifier (e.g., cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

1.2 “Processing” refers to any operation or set of operations performed on personal data, with or without the aid of automated processes. The term is broad and covers virtually any handling of data.

1.3 The term “Controller” refers to a natural or legal person, authority, institution, or other body that, alone or jointly with others, determines the purposes and means of processing personal data.

2. Legal Bases
In accordance with Art. 13 GDPR, we inform you of the legal basis for our data processing. Unless otherwise stated in this privacy policy, the following applies:

  • The legal basis for obtaining consent is Art. 6 (1) (a) and Art. 7 GDPR
  • The legal basis for processing for the performance of our services and the implementation of contractual measures, as well as responding to inquiries, is Art. 6 (1) (b) GDPR
  • The legal basis for processing to fulfill our legal obligations is Art. 6 (1) (c) GDPR
  • The legal basis for processing to safeguard our legitimate interests is Art. 6 (1) (f) GDPR

If vital interests of the data subject or another natural person make the processing of personal data necessary, Art. 6 (1) (d) GDPR serves as the legal basis.

3. Changes and Updates to the Privacy Policy
We kindly ask you to regularly review the content of our Privacy Policy. We will adjust the Privacy Policy whenever changes to our data processing activities make this necessary. We will inform you if any changes require your involvement (e.g., consent) or any other individual notification.

4. Security Measures
4.1. In accordance with Article 32 of the GDPR, we take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the implementation costs, and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons. These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data as well as access, input, transfer, availability, and separation of the data. Additionally, we have procedures in place that allow for the exercising of data subject rights, the deletion of data, and the response to data threats. Furthermore, we consider the protection of personal data during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).

4.2. A key security measure is the encrypted transmission of data between your browser and our server.

5. Disclosure and Transfer of Data
5.1. If we disclose, transmit, or otherwise provide access to data to other individuals or companies (processors or third parties) during processing, this is done solely based on legal permission (e.g., if the transfer of data to third parties, such as payment service providers, is necessary for contract fulfillment according to Article 6(1)(b) of the GDPR), if you have given your consent, if a legal obligation allows this, or based on our legitimate interests (e.g., when using agents, hosting providers, tax, legal, or business advisors, customer management, accounting, billing, and similar services that allow us to efficiently and effectively fulfill our contractual obligations and administrative duties).

5.2. If we commission third parties to process data based on a so-called “data processing agreement,” this is done according to Article 28 of the GDPR.

6. Data Transfers to Third Countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs within the use of third-party services, disclosure, or transfer of data to third parties, this will only be done if it is necessary for fulfilling our (pre-)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or allow the processing of data in a third country only if the special conditions of Articles 44 and following of the GDPR are met. This means the processing is carried out, for example, on the basis of specific guarantees such as the officially recognized level of data protection corresponding to the EU (e.g., in the USA under the “Privacy Shield”) or compliance with officially recognized special contractual obligations (so-called “Standard Contractual Clauses”).

7. Rights of Data Subjects
7.1. You have the right to request confirmation as to whether data concerning you is being processed and to request information about this data, as well as further information and a copy of the data, in accordance with Article 15 of the GDPR.

7.2. In accordance with Article 16 of the GDPR, you have the right to request the correction or completion of inaccurate data concerning you.

7.3. In accordance with Article 17 of the GDPR, you have the right to request the immediate deletion of data concerning you, or alternatively, to request a restriction of the processing of the data in accordance with Article 18 of the GDPR.

7.4. You have the right to request that the data you have provided to us be made available in accordance with Article 20 of the GDPR and to request its transfer to other controllers.

7.5. Additionally, in accordance with Article 77 of the GDPR, you have the right to lodge a complaint with the relevant supervisory authority.

8. Right of Withdrawal
You have the right to revoke consents granted in accordance with Article 7(3) of the GDPR with effect for the future.

9. Right to Object
You have the right to object at any time to the future processing of your personal data in accordance with Article 21 of the GDPR. This applies particularly to the processing of data for direct marketing purposes.

10. Cookies and Right to Object to Direct Advertising
10.1. “Cookies” are small files that are stored on users’ devices. Various pieces of information can be stored within a cookie. Primarily, cookies are used to store user-related information (or the device on which the cookie is stored) during or after their visit to an online service. Temporary cookies, or “session cookies” or “transient cookies,” are cookies that are deleted after a user leaves the online service and closes their browser. A session cookie can store, for example, the contents of a shopping cart in an online store or a login status. “Permanent” or “persistent” cookies are cookies that remain stored even after the browser is closed. For example, the login status can be saved if users return after several days. Similarly, users’ interests may be stored in such a cookie, which is used for reach measurement or marketing purposes. “Third-party cookies” are cookies provided by other providers than the party responsible for operating the online service (otherwise, if they are only its cookies, they are called “first-party cookies”).

10.2. We use both temporary and permanent cookies and explain this in our Privacy Policy.
If users do not wish for cookies to be stored on their device, they are asked to disable the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. Excluding cookies can lead to restrictions in the functionality of this online service.

10.3. A general objection to the use of cookies for online marketing purposes can be made through various services, especially in the case of tracking, via the US-based site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by disabling them in the browser settings. Please note that in this case, some functions of this online service may not be fully usable.

11. Data Deletion
11.1. The data we process will be deleted or restricted in its processing in accordance with Articles 17 and 18 of the GDPR. Unless explicitly stated within this Privacy Policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose, and there are no legal retention obligations that prevent its deletion. If the data is not deleted because it is needed for other, legally permissible purposes, its processing will be restricted. That means the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

11.2. In Germany, retention follows statutory requirements, particularly for six years under § 257(1) HGB (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.), and for ten years under § 147(1) AO (books, records, management reports, accounting documents, commercial and business letters, documents relevant to taxation, etc.).

11.3. In Austria, the retention period is typically seven years under § 132(1) BAO (accounting records, vouchers/invoices, accounts, receipts, business papers, statements of income and expenses, etc.), 22 years in connection with real estate, and ten years for records related to electronically provided services, telecommunications, broadcasting, and television services provided to non-entrepreneurs in EU member states, for which the Mini-One-Stop-Shop (MOSS) is used.

12. Order Processing in the Online Shop and Customer Account
12.1. We process our customers’ data in the context of order processes in our online shop to enable them to select and order the chosen products and services, as well as to enable payment and delivery, or execution.

12.2. The processed data includes inventory data, communication data, contract data, payment data, and the data subjects include our customers, prospects, and other business partners. The processing is carried out for the purpose of providing contractual services in the context of the operation of an online shop, billing, delivery, and customer services. Here, we use session cookies to store the contents of the shopping cart and permanent cookies to store the login status.

12.3. Processing is based on Article 6(1)(b) (carrying out order transactions) and (c) (legally required archiving) of the GDPR. The information marked as required is necessary for the conclusion and fulfillment of the contract. We disclose the data to third parties only in the context of delivery, payment, or as legally permitted and required, e.g., to legal advisors and authorities. Data is processed in third countries only if necessary for contract fulfillment (e.g., at the customer’s request for delivery or payment).

12.4. Users can optionally create a user account, allowing them to view their orders. During registration, the required mandatory information is communicated to the users. User accounts are not public and cannot be indexed by search engines. If users terminate their user account, their data concerning the user account will be deleted, provided its retention is not required for commercial or tax reasons in accordance with Article 6(1)(c) of the GDPR. Information in the customer account remains until its deletion, with subsequent archiving in the case of legal obligations. It is the users’ responsibility to back up their data before the end of the contract in case of termination.

12.5. When registering and logging in again or using our online services, we store the IP address and the time of each user action. Storage is based on our legitimate interests and those of the users in protection against abuse and other unauthorized use. As a matter of principle, this data is not passed on to third parties, except when necessary for pursuing our claims or there is a legal obligation to do so under Article 6(1)(c) of the GDPR.

12.6. Data is deleted after the expiration of statutory warranty and comparable obligations, with the necessity of retaining the data being reviewed every three years. In the case of statutory archiving obligations, deletion occurs after their expiration (end of commercial (6 years) and tax law (10 years) retention obligations). Information in the customer account remains until it is deleted.

13. Business Analyses and Market Research
13.1. To run our business economically, recognize market trends, and understand customer and user preferences, we analyze the data available to us about business transactions, contracts, inquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, and metadata based on Article 6(1)(f) of the GDPR, with data subjects including customers, prospects, business partners, visitors, and users of the online service. The analyses are conducted for business evaluations, marketing, and market research purposes. In this context, we may consider the profiles of registered users with details such as their purchase transactions. The analyses help us improve user-friendliness, optimize our offering, and ensure business efficiency. The analyses are for our use only and are not disclosed externally unless they are anonymous and aggregated.

13.2. If these analyses or profiles are personal, they will be deleted or anonymized upon user termination, otherwise two years after contract conclusion. Overall economic analyses and general trend determinations are created anonymously wherever possible.

Credit Check for Customers
A credit check is permissible if there is a risk of payment default, meaning when goods are delivered without receiving payment upfront (e.g., if the customer opts for purchase on account). However, there is no risk of default if the customer chooses advance payment or makes payment through third-party services like PayPal.

Moreover, obtaining an automated credit check constitutes “automated decision-making” under Article 22 of the GDPR, meaning a legal decision without human involvement. This is permissible if the customer consents or if the decision is necessary for concluding the contract. Whether this necessity is conclusively determined is still debated, but many, including the author of this template, consider it given. However, to exclude any risk, you should obtain consent.

Consent is also necessary if the credit check is used to decide whether the “purchase on account” option is shown to the customer. It could be that the customer might have chosen advance payment or PayPal, making the credit check unnecessary.

Such consent could read as follows:
“I agree that a credit check will be conducted to make an automated decision (Art. 22 GDPR) about whether the purchase on account option is offered. Further information about the credit check, the credit agencies used, the process, and the objection options can be found in our [Link]Privacy Policy[/Link].”

14. Credit Check

14.1. If we provide services in advance (e.g., purchase on account), we reserve the right to obtain a credit report to assess credit risk based on mathematical-statistical procedures from specialized service providers (credit agencies) to safeguard our legitimate interests.

14.2. For the purpose of the credit check, we will transfer the following personal data of the customer (name, postal address, date of birth, contract details, bank details [please specify other relevant data]) to the following credit agencies: [Please specify the credit agencies, e.g.,] SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Privacy Notice: https://www.schufa.de/de/ueber-uns/daten-scoring/.

14.3. We will process the information received from the credit agencies regarding the statistical probability of default within a reasonable discretion to determine the establishment, performance, and termination of the contractual relationship. In case of a negative credit report, we reserve the right to refuse payment by invoice or any other advance payment.

14.4. The decision on whether we provide services in advance is made solely on the basis of automated individual decisions as defined by Article 22 GDPR, which are performed by our software based on the information provided by the credit agency.

14.5. If we obtain explicit consent from you, the legal basis for the credit report and the transfer of customer data to the credit agencies is consent in accordance with Article 6(1)(a), Article 7 GDPR. If no consent is obtained, our legitimate interests in securing our payment claims form the legal basis under Article 6(1)(f) GDPR.

15. Contact and Customer Support

15.1. When contacting us (via contact form or email), the user’s details are processed to handle the inquiry and its resolution in accordance with Article 6(1)(b) GDPR.

15.2. The user’s information may be stored in our Customer Relationship Management system (CRM) or a similar request management system.

15.3. We delete inquiries when they are no longer necessary. We review necessity every two years; inquiries from customers who have a user account are stored permanently, and deletion is subject to the information provided in the customer account section. Additionally, statutory archiving obligations apply.

16. Collection of Access Data and Log Files

16.1. Based on our legitimate interests according to Article 6(1)(f) GDPR, we collect data about every access to the server where this service is located (so-called server log files). Access data includes the name of the accessed web page, file, date and time of access, transferred data volume, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider.

16.2. Log file information is stored for security reasons (e.g., to investigate abuse or fraud) for a maximum of seven days and then deleted. Data that needs to be retained for evidential purposes is excluded from deletion until the incident is fully resolved.

17. Online Presence in Social Media

17.1. We maintain an online presence on social networks and platforms based on our legitimate interests pursuant to Article 6(1)(f) GDPR to communicate with active customers, interested parties, and users and to inform them about our services. The terms and data processing policies of the respective operators apply when accessing the respective networks and platforms.

17.2. If not otherwise stated in our privacy policy, we process the data of users who interact with us within social networks and platforms (e.g., posting on our profiles or sending us messages).

18. Google Analytics

18.1. Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online services within the meaning of Article 6(1)(f) GDPR), we use Google Analytics, a web analysis service provided by Google LLC (“Google”). Google uses cookies. The information generated by the cookie about the use of the online services by users is generally transmitted to a Google server in the USA and stored there.

18.2. Google is certified under the Privacy Shield agreement, providing a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

18.3. Google will use this information on our behalf to evaluate the use of our online services by users, compile reports on activities within this online offering, and provide us with other services related to the use of this online offering and the internet. In doing so, pseudonymous usage profiles of the users may be created from the processed data.

18.4. We only use Google Analytics with activated IP anonymization. This means that the IP address of users is shortened by Google within member states of the European Union or other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

18.5. The IP address transmitted by the user’s browser will not be merged with other data from Google. Users can prevent the storage of cookies by configuring their browser software accordingly. Furthermore, users can prevent the collection of the data generated by the cookie and related to their use of the online services by Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

18.6. For further information on data usage by Google, setting options, and objection possibilities, please visit Google’s websites: https://www.google.com/intl/de/policies/privacy/partners (Data usage by Google when you use websites or apps of our partners), https://policies.google.com/technologies/ads (Data usage for advertising purposes), https://adssettings.google.com/authenticated (Manage information Google uses to show you ads).

19. Google Re/Marketing Services

19.1. We use the marketing and remarketing services (hereafter “Google Marketing Services”) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”), based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering as per Article 6(1)(f) GDPR).

19.2. Google is certified under the Privacy Shield Agreement, which ensures compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

19.3. Google Marketing Services enable us to display targeted advertisements on and within our website, to show users ads that align with their potential interests. For instance, if users are shown ads for products they have been interested in on other websites, this is known as “remarketing.” When users visit our website or other websites using Google Marketing Services, a Google code is directly executed, and (re)marketing tags (invisible graphics or code, also called “Web Beacons”) are embedded into the website. This allows a unique cookie to be stored on the user’s device (other similar technologies may be used instead of cookies). Cookies may be set from different domains, such as google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com, or googleadservices.com. The file contains data on which websites the user has visited, the content they are interested in, and which offers they clicked on. It also stores technical information about the browser and operating system, referring websites, visit time, and other details about the use of the online offering. The IP address of the user is also collected, though Google Analytics anonymizes IP addresses within member states of the European Union or other contracting states of the European Economic Area. Only in exceptional cases is the full IP address sent to a Google server in the USA and truncated there. The IP address will not be merged with data about the user within other Google services. The aforementioned information may also be combined by Google with other sources of information. If the user visits other websites, tailored ads matching their interests can be shown.

19.4. The users’ data is processed pseudonymously within Google Marketing Services. This means Google does not store and process data such as the user’s name or email address but processes relevant data in a cookie-based manner within pseudonymous user profiles. From Google’s perspective, ads are managed and displayed for the cookie holder, not for an individually identified person. This does not apply if a user has explicitly allowed Google to process data without pseudonymization. The information collected about users by Google Marketing Services is transmitted to Google and stored on Google’s servers in the USA.

19.5. One of the Google Marketing Services we use is the online advertising program “Google AdWords.” In the case of Google AdWords, each AdWords customer receives a different “conversion cookie.” Cookies can therefore not be tracked across the websites of AdWords customers. The information obtained using the cookie helps generate conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers see the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag, but they do not receive any information that personally identifies users.

19.6. We may incorporate third-party advertisements based on Google Marketing Services such as “DoubleClick.” DoubleClick uses cookies that allow Google and its partner websites to display ads based on users’ visits to this or other websites on the internet.

19.7. We may also use the “AdSense” service, which allows us to display third-party ads. AdSense uses cookies that enable Google and its partner websites to serve ads based on users’ visits to this or other websites.

19.8. We may also use “Google Optimizer.” Google Optimizer allows us to track how various changes to a website (e.g., changes to input fields or design) impact users through A/B testing. Cookies are stored on the users’ devices for these testing purposes, and only pseudonymous data of the users is processed.

19.9. Additionally, we may use the “Google Tag Manager” to integrate and manage Google analysis and marketing services into our website.

19.10. For more information on data usage for marketing purposes by Google, please refer to: https://policies.google.com/technologies/ads, and Google’s privacy policy at: https://adssettings.google.com/authenticated.

Furthermore, we use Facebook’s “advanced matching” feature with the Facebook pixel (e.g., passing data such as phone numbers, email addresses, or Facebook IDs) to create target groups (“Custom Audiences” or “Look Alike Audiences”). The data is encrypted and transferred to Facebook. Further details on “advanced matching” can be found here: https://www.facebook.com/business/help/611774685654668.

We also use the “Custom Audiences from File” procedure on Facebook. In this case, the email addresses of newsletter recipients are uploaded to Facebook. The upload is encrypted and is solely used to determine recipients of our Facebook ads. We want to ensure that the ads are only shown to users who are interested in our information and services.

Opt-Out Notice

Please note that Facebook did not offer an opt-out option at the time this template was created, and you must implement it yourself. If you do not, you must remove this section. Implementation can be done via JavaScript (setting the opt-out link) and via PHP on page load (checking if the opt-out cookie is set and only loading the Facebook pixel when the result is negative). When a user visits the website, you must check if the “Opt-Out” cookie is set. If it is, the “Facebook Pixel” must not be loaded.

If you implement your own opt-out, please add the following:

To prevent the collection of your data via the Facebook Pixel on our website, please click the following link: Facebook Opt-Out. Note: When you click the link, an “Opt-Out” cookie will be stored on your device. If you delete the cookies in your browser, you must click the link again. The opt-out only applies within the browser you are using and only within our web domain where the link was clicked.
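
The opt-out mechanism described in the notice above, shown in JavaScript as an added example (not part of the original policy or template). The cookie name `fb_pixel_opt_out`, the link id `fb-opt-out`, the two-year lifetime, and all function names are assumptions, and the cookie check runs in the browser here instead of in PHP on page load.

```javascript
// Added example: gate a tracking pixel behind an opt-out cookie.
// Every identifier below is hypothetical; none comes from Facebook's API.

const OPT_OUT_COOKIE = "fb_pixel_opt_out";        // assumed cookie name
const OPT_OUT_MAX_AGE = 60 * 60 * 24 * 365 * 2;   // assumed lifetime: two years, in seconds

// Parse a document.cookie / Cookie-header string into a name -> value map.
// Names are matched exactly, so "fb_pixel_opt_out_old=1" does not count
// as an opt-out, and a value containing "=" is kept intact.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;                      // skip malformed pairs
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name && !jar.has(name)) jar.set(name, value); // first occurrence wins
  }
  return jar;
}

// True only when the opt-out cookie is present with the value "1".
function hasOptedOut(cookieString) {
  return parseCookies(cookieString).get(OPT_OUT_COOKIE) === "1";
}

// Cookie string written when the user clicks the opt-out link.
// No Domain attribute: the cookie stays host-only, which matches the notice
// ("only within our web domain where the link was clicked").
// Secure assumes the site is served over HTTPS.
function buildOptOutCookie() {
  return [
    `${OPT_OUT_COOKIE}=1`,
    `Max-Age=${OPT_OUT_MAX_AGE}`,
    "Path=/",
    "SameSite=Lax",
    "Secure",
  ].join("; ");
}

// Run loadPixel only when no opt-out cookie is set.
// Returns true if the pixel was loaded, false if it was suppressed.
function loadPixelUnlessOptedOut(cookieString, loadPixel) {
  if (hasOptedOut(cookieString)) return false;
  loadPixel();
  return true;
}

// Browser wiring (skipped outside a browser).
if (typeof document !== "undefined") {
  const link = document.getElementById("fb-opt-out"); // hypothetical link id
  if (link) {
    link.addEventListener("click", (event) => {
      event.preventDefault();
      // Takes effect from the next page load; this page has already
      // made its load decision.
      document.cookie = buildOptOutCookie();
    });
  }
  loadPixelUnlessOptedOut(document.cookie, () => {
    // Place the vendor-supplied pixel snippet here.
  });
}
```

The same exact-name check applies if the decision is made server-side before the page is rendered, which keeps the pixel markup out of the response entirely for opted-out users.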

20. Facebook, Custom Audiences, and Facebook Marketing Services

20.1. Within our online offering, we use the “Facebook Pixel” of the social network Facebook, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), based on our legitimate interests in the analysis, optimization, and economic operation of our online offering for these purposes.

20.2. Facebook is certified under the Privacy Shield Agreement, ensuring compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

20.3. With the help of the Facebook Pixel, Facebook can determine visitors to our online offering as a target group for displaying advertisements (so-called “Facebook Ads”). We use the Facebook Pixel to display Facebook Ads to users who have shown interest in our online offering or exhibit specific characteristics (e.g., interests in certain topics or products based on the websites they visited) that we transmit to Facebook (so-called “Custom Audiences”). We also use the Facebook Pixel to ensure that our Facebook Ads align with potential user interests and are not perceived as intrusive. Additionally, the Facebook Pixel helps us measure the effectiveness of Facebook ads for statistical and market research purposes by tracking whether users are redirected to our website after clicking on a Facebook ad (so-called “Conversion”).

20.4. Facebook processes data in accordance with Facebook’s Data Use Policy. General information on the presentation of Facebook Ads is available in Facebook’s Data Use Policy: https://www.facebook.com/policy.php. Specific details on the Facebook Pixel and how it works can be found in Facebook’s Help section: https://www.facebook.com/business/help/742478679120153?id=1205376682832142.

20.5. You can object to the collection of your data via the Facebook Pixel and the use of your data for displaying Facebook Ads. To adjust the types of ads you are shown within Facebook, you can visit the Facebook settings page and follow the instructions on usage-based advertising settings: https://www.facebook.com/settings?tab=ads. These settings apply across platforms, meaning they will be applied to all devices, including desktop computers and mobile devices.

20.6. You can also opt out of the use of cookies for reach measurement and advertising purposes through the Network Advertising Initiative’s opt-out page (http://optout.networkadvertising.org/) and additionally via the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

21. Facebook Social Plugins

21.1. Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering per Art. 6(1)(f) GDPR), we use social plugins (“Plugins”) of the social network Facebook.com, operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins may display interaction elements or content (e.g., videos, graphics, or text posts) and are recognizable by one of the Facebook logos (a white “f” on a blue tile, the terms “Like”, “Gefällt mir”, or a “thumbs up” sign), or are marked with the label “Facebook Social Plugin.” You can view the list and appearance of Facebook Social Plugins here: https://developers.facebook.com/docs/plugins/.

21.2. Facebook is certified under the Privacy Shield Agreement, ensuring compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

21.3. When a user accesses a feature of our online offering that contains such a plugin, their device establishes a direct connection with Facebook’s servers. The content of the plugin is transmitted by Facebook directly to the user’s device and integrated into the online offering. This allows usage profiles to be created from the processed data. We have no control over the extent of the data that Facebook collects using this plugin, and we inform users according to our level of knowledge.

21.4. By integrating the plugin, Facebook receives the information that a user has accessed the corresponding page of our online offering. If the user is logged into Facebook, Facebook can associate the visit with the user’s Facebook account. If users interact with the plugins, such as pressing the “Like” button or leaving a comment, the corresponding information is transmitted directly from their device to Facebook and stored there. Even if a user is not a Facebook member, there is still the possibility that Facebook will obtain and store their IP address. According to Facebook, only anonymized IP addresses are stored in Germany.

21.5. For the purpose and scope of data collection and the further processing and use of data by Facebook, as well as the relevant rights and settings options for protecting user privacy, users can refer to Facebook’s privacy policy: https://www.facebook.com/about/privacy/.

21.6. If a user is a Facebook member and does not want Facebook to collect data about them via this online offering and link it to their Facebook-stored member data, they must log out of Facebook and delete their cookies before using our online offering. Additional settings and objections to the use of data for advertising purposes can be made within the Facebook profile settings: https://www.facebook.com/settings?tab=ads, via the US page http://www.aboutads.info/choices/, or the EU page http://www.youronlinechoices.com/. These settings apply across platforms, meaning they are applied to all devices, such as desktop computers or mobile devices.

22. Reach Analysis with Matomo

22.1. In the context of reach analysis with Matomo, we process the following data based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering according to Art. 6(1)(f) GDPR): the type and version of the browser you are using, the operating system you are using, your country of origin, the date and time of the server request, the number of visits, your time spent on the website, and any external links you clicked. The user’s IP address is anonymized before being stored.

22.2. Matomo uses cookies that are stored on the user’s computer and enable an analysis of how our online offering is used by users. Pseudonymous user profiles can be created from the processed data. The cookies are stored for one week. The information generated by the cookie about your use of this website is stored exclusively on our server and is not passed on to third parties.

22.3. Users can object to the anonymized data collection by Matomo at any time with effect for the future by clicking on the link below. In this case, an “Opt-Out” cookie will be stored in your browser, which means that Matomo will no longer collect any session data. However, if users delete their cookies, the Opt-Out cookie will also be deleted, and users will need to activate it again.

22.4. [Please insert the Matomo IFRAME here with the opt-out cookie (and enable IP anonymization in the settings area)].

23. Jetpack (WordPress Stats)

23.1. Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering according to Art. 6(1)(f) GDPR), we use the Jetpack plugin (specifically the “WordPress Stats” sub-function), which integrates a tool for statistical analysis of visitor traffic, provided by Automattic, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA. Jetpack uses so-called “cookies,” which are text files stored on your computer that enable an analysis of your use of the website.

23.2. Automattic is certified under the Privacy Shield Agreement, ensuring compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt0000000CbqcAAC&status=Active).

23.3. The information generated by the cookie about your use of this online offering is stored on a server in the USA. The processed data can be used to create user profiles, but these are only used for analysis purposes, not for advertising. Further information can be found in Automattic’s privacy policy: https://automattic.com/privacy/ and information on Jetpack cookies: https://jetpack.com/support/cookies/.

24. etracker

24.1. Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering according to Art. 6(1)(f) GDPR), we use the analytics service “etracker” from etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany.

24.2. Pseudonymous user profiles can be created from the data processed by etracker. Cookies may also be used for this purpose, enabling your browser to be recognized. The data collected using etracker technologies will not be used to personally identify visitors to our website without the explicit consent of the person concerned and will not be merged with personal data about the bearer of the pseudonym. Additionally, personal data is processed only for us and is not merged with personal data collected through other online offerings.

24.3. You can object to the data collection and storage by etracker at any time with effect for the future. To object to the collection and storage of your visitor data for the future, you can obtain an Opt-Out cookie from etracker at the following link, which will prevent future collection and storage of your browser’s visitor data by etracker: http://www.etracker.de/privacy?et=Account-ID [Please insert your Account ID here].

24.4. By opting out, an Opt-Out cookie named “cntcookie” will be set by etracker. Please do not delete this cookie as long as you wish to maintain your objection. Further information can be found in etracker’s privacy policy: http://www.etracker.com/de/datenschutz.html.

25. Criteo

25.1. Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering in accordance with Art. 6(1)(f) GDPR), we use the services of Criteo GmbH, Gewürzmühlstr. 11, 80538 Munich, Germany.

25.2. Criteo’s services allow us to display more targeted ads on and for our website, showing users ads that potentially match their interests. For example, if a user is shown ads for products they were interested in on other websites, this is called “remarketing.” For this purpose, when visiting our website and other websites where Criteo is active, a code is executed by Criteo, and (re)marketing tags (invisible graphics or code, also known as “web beacons”) are embedded into the website. These allow Criteo to store a unique cookie on the user’s device (or use similar technologies instead of cookies). This file records which websites the user visited, the content they were interested in, which offers they clicked on, as well as technical information about the browser and operating system, referring websites, the time of the visit, and other data on the use of the online offering. This information may also be combined with data from other sources by Criteo. When the user visits other websites, they may be shown personalized ads tailored to their interests.

25.3. For more information, as well as ways to opt out of data collection by Criteo, please refer to Criteo’s privacy policy: https://www.criteo.com/de/privacy/.

26. Amazon Affiliate Program

26.1. Based on our legitimate interests (i.e., interest in the economic operation of our online offering in accordance with Art. 6(1)(f) GDPR), we participate in the Amazon EU Affiliate Program, which is designed to provide a medium for websites to earn advertising fees by placing ads and links to Amazon.de. Amazon uses cookies to track the origin of orders. Among other things, Amazon can recognize that you clicked the partner link on this website.

26.2. For more information on how Amazon uses your data, please refer to the company’s privacy policy: http://www.amazon.de/gp/help/customer/display.html/ref=footer_privacy?ie=UTF8&nodeId=3312401.

27. Communication via Post, Email, Fax, or Telephone

27.1. We use means of remote communication such as post, telephone, or email for business purposes and marketing. In doing so, we process personal data, including name, address, contact details, and contract data, of customers, participants, interested parties, and communication partners.

27.2. The processing of this data is based on Art. 6(1)(a), Art. 7 GDPR, and Art. 6(1)(f) GDPR in connection with legal requirements for promotional communications. Contact is made only with the consent of the contact partners or as permitted by law, and the processed data is deleted as soon as it is no longer required, when consent is withdrawn, or when other legal grounds for retention expire.

Note: Please include a disclaimer in the registration process, i.e., in the registration form, regarding the newsletter’s content and the evaluation of opening and click behavior, for example:

“Our newsletter contains information about our products, offers, promotions, and company. You can find more information on data protection, revocation, and the logging of data in our [LINK]privacy policy[/Link].”

If you use a service provider for sending the newsletters, add information about this provider here:

For EU-based provider: “The newsletter is sent by CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany. You can view their privacy policy here: https://www.cleverreach.com/de/datenschutz/.”

For US-based provider: “The newsletter is sent via ‘MailChimp,’ a newsletter platform by Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can view their privacy policy here: https://mailchimp.com/legal/privacy/. Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement, ensuring compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).”

Note on legal basis: Please select the appropriate version for either Germany or Austria. In Austria, be aware of the “ECG List” (https://www.rtr.at/de/tk/TKKS_Spam) maintained by the Regulatory Authority for Telecommunications and Broadcasting (RTR-GmbH), which lists email addresses to which no commercial emails may be sent.

28. Newsletter

28.1. The following section provides information on the content of our newsletter, as well as the registration, shipping, and statistical analysis procedures and your right to object. By subscribing to our newsletter, you agree to the receipt and the described procedures.

28.2. Newsletter Content: We send newsletters, emails, and other electronic notifications containing promotional information (hereinafter “newsletter”) only with the recipient’s consent or legal permission. If the content of the newsletter is specifically described in the registration process, it is decisive for the user’s consent. Otherwise, our newsletters contain information about our products, offers, promotions, and our company.

28.3. Double Opt-In and Logging: Registration for our newsletter follows a “double opt-in” process. After signing up, you will receive an email asking you to confirm your registration. This confirmation is necessary to prevent someone from registering with email addresses that are not their own. Newsletter registrations are logged so that the registration process can be evidenced in accordance with legal requirements. This includes storing the registration and confirmation time and the user’s IP address. Changes to your data stored by the shipping provider are also logged.

28.4. Shipping Provider: The newsletter is sent via “MailChimp,” a US-based newsletter platform by Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can view their privacy policy here: https://mailchimp.com/legal/privacy/. Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement, ensuring compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).

28.5. Where we use a shipping provider, they may use this data in pseudonymous form, i.e., without assigning it to a specific user, to optimize or improve their services, such as for the technical optimization of the shipment and presentation of the newsletters or for statistical purposes to determine the recipients’ countries. However, the shipping provider does not use the data of our newsletter recipients to address them directly or to pass it on to third parties.

28.6. Registration Data: To subscribe to the newsletter, it is sufficient to provide your email address. Optionally, we ask you to provide a name for personalized communication.

28.7. Performance Measurement: The newsletters contain a “web-beacon,” i.e., a pixel-sized file retrieved from our server, or the shipping provider’s server, when the newsletter is opened. This retrieval initially collects technical information, such as your browser and system information, as well as your IP address and the time of retrieval. This information is used to improve the services technically, based on the technical data or on the target groups and their reading behavior as indicated by their retrieval locations (which can be determined using the IP address) or access times. Statistical surveys also determine whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, neither we nor the shipping provider, if used, aim to monitor individual users. The evaluations serve to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

28.8. Germany: The newsletter shipping and performance measurement is based on the recipient’s consent per Art. 6(1)(a), Art. 7 GDPR, and § 7(2)(3) UWG or based on the legal permission under § 7(3) UWG.

28.9. Austria: The newsletter shipping and performance measurement is based on the recipient’s consent per Art. 6(1)(a), Art. 7 GDPR, and § 107(2) TKG or based on the legal permission under § 107(2) and (3) TKG.

28.10. Logging the registration process is based on our legitimate interests per Art. 6(1)(f) GDPR and serves to provide evidence of consent to receive the newsletter.

28.11. Newsletter Recipients: You can cancel the receipt of our newsletter at any time, i.e., revoke your consent. A link to cancel the newsletter is included in every newsletter. When you cancel the newsletter, your consent to its performance measurement is simultaneously terminated. Unfortunately, separate revocation of the performance measurement is not possible; in this case, the entire newsletter subscription must be canceled. Upon unsubscribing from the newsletter, personal data is deleted unless its retention is legally required or justified, with processing limited to these exceptional purposes. We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to prove previously given consent. The processing of this data is limited to the purpose of a possible defense against claims. A request for individual deletion is possible at any time, provided the former existence of consent is confirmed.

29. Integration of Third-Party Services and Content

29.1. We incorporate third-party content and service offerings within our online presence based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offerings as per Art. 6(1)(f) of the GDPR). This includes embedding content such as videos and fonts (collectively referred to as “Content”). This integration always requires that third-party content providers receive the users’ IP addresses, as they cannot send the content to users’ browsers without this information. Therefore, the IP address is necessary for displaying this content. We strive to use only those services whose providers use the IP address solely for delivering the content. Additionally, third parties may use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Through these pixel tags, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the users’ devices, containing technical information about the browser and operating system, referring websites, visit times, and further details about the usage of our online offerings. This information can also be linked with data from other sources.

29.2. The following overview provides information about third-party providers and their content, along with links to their privacy policies, which include additional details on data processing and, in some cases mentioned here, options to object (commonly known as opt-out):

  • If our customers use third-party payment services (e.g., PayPal or Sofortüberweisung), the terms and conditions and privacy notices of the respective third parties apply, which can be accessed on their websites or transaction applications.

  • External Fonts from Google, LLC: Google Fonts. The integration of Google Fonts occurs through a server request to Google (usually in the USA). Privacy Policy: Google Privacy Policy, Opt-Out: Google Ads Settings.

  • Maps from the service “Google Maps” provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy: Google Privacy Policy, Opt-Out: Google Ads Settings.

  • Videos from the platform “YouTube” provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy: Google Privacy Policy, Opt-Out: Google Ads Settings.

  • Functions of the service Google+ are integrated within our online offerings, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you are logged into your Google+ account, you can link the content of our pages to your Google+ profile by clicking the Google+ button. This allows Google to associate your visit to our pages with your user account. We would like to point out that as the provider of the pages, we do not have knowledge of the content of the transmitted data or its usage by Google+. Privacy Policy: Google Privacy Policy, Opt-Out: Google Ads Settings.

  • Functions of the service Instagram are integrated into our online offerings. These functions are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. If you are logged into your Instagram account, you can link the content of our pages to your Instagram profile by clicking the Instagram button. This allows Instagram to associate your visit to our pages with your user account. We want to emphasize that as the provider of the pages, we do not have knowledge of the content of the transmitted data or its usage by Instagram. Privacy Policy: Instagram Privacy Policy.

  • We use social plugins from the social network Pinterest, operated by Pinterest Inc., 635 High Street, Palo Alto, CA 94301, USA (“Pinterest”). If you access a page that contains such a plugin, your browser establishes a direct connection to Pinterest’s servers. The plugin transmits log data to Pinterest’s server in the USA. This log data may include your IP address, the address of the visited websites that also contain Pinterest functions, the type and settings of your browser, the date and time of the request, your usage of Pinterest, and cookies. Privacy Policy: Pinterest Privacy Policy.

  • Functions of the service or platform Twitter are integrated into our online offerings (hereinafter referred to as “Twitter”). Twitter is a service provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The functions include displaying our posts on Twitter within our online offerings, linking to our profile on Twitter, as well as interacting with the posts and functions of Twitter, and measuring whether users access our online offerings through ads we run on Twitter (known as conversion measurement). Twitter is certified under the Privacy Shield agreement, ensuring compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Privacy Policy: Twitter Privacy Policy, Opt-Out: Twitter Personalization.